
You are currently reading a thread in /g/ - Technology

Thread replies: 28
Thread images: 1
File: 1453696760964.jpg (295 KB, 1339x1024)
Find the vulnerability /g/!

If correct, when CryptoAPI.sha1.hash(x) is called, you should be able to run arbitrary code on the machine you're attacking. Assume that x is a value controlled by the attacker.

var CryptoAPI = (function() {
    // Byte <-> character helpers; their bodies are omitted in the pasted snippet.
    var encoding = {
        a2b: function(a) { },
        b2a: function(b) { }
    };

    var API = {
        sha1: {
            name: 'sha1',
            identifier: '2b0e03021a',
            size: 20,
            block: 64,
            hash: function(s) {
                // Appending the 0x80 padding byte also coerces s to a string.
                var len = (s += '\x80').length,
                    blocks = len >> 6,
                    chunk = len & 63,
                    res = "",
                    i = 0,
                    j = 0,
                    H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
                    w = [];

                // Zero-pad up to 56 bytes mod 64, leaving room for the length field.
                while (chunk++ != 56) {
                    s += "\x00";
                    if (chunk == 64) {
                        blocks++;
                        chunk = 0;
                    }
                }

                // Append the message length in bits as a 64-bit big-endian value
                // (the upper 32 bits are always zero here).
                for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {
                    s += encoding.b2a(len >> (8 * chunk) & 255);
                }

                // Pack bytes into 32-bit words and run one round per 64-byte block.
                for (i = 0; i < s.length; i++) {
                    j = (j << 8) + encoding.a2b(s[i]);
                    if ((i & 3) == 3) {
                        w[(i >> 2) & 15] = j;
                        j = 0;
                    }
                    if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);
                }

                // Serialise the five state words big-endian into the result.
                for (i = 0; i < H.length; i++)
                    for (j = 3; j >= 0; j--)
                        res += encoding.b2a(H[i] >> (8 * j) & 255);
                return res;
            }, // End "hash"
            _round: function(H, w) { } // SHA-1 compression function; body omitted in the paste
        } // End "sha1"
    }; // End "API"

    return API; // End body of anonymous function
})(); // End "CryptoAPI"
>>
>>53377344
>JS
all of it
>>
>>53377585
.
>>
>>53377972
.
>>
>>53377585
/thread
>>
>>53378495
.thread
>>
>>53377344
shove your homework up your ass faggot
>>
>>53379418
Do it pls
>>
>>53379768
No
>>
>>53377344
Wouldn't you need to attack the JS sandbox? Or am I misunderstanding the parameters of the problem?
>>
>>53380520
JS Sandbox? Do you mean changing values of the JS 'classes' like Object/Number? Cause you CAN do that and make it work, but for this part I think all you need to do is set var x to a certain value to achieve the result.
>>
Find memory locations and then do bit shifts
Only know how to do it in c with gdb, have fun
>>
>>53380550
You misunderstood me. Here's my problem:

Say you're running this JavaScript code in the browser. By definition of “run arbitrary code on the machine you're attacking”, I assume this means I would be capable of running my shell code with the same privileges as the browser process itself.

But the browser presents no in-JavaScript API to break out of the isolated JavaScript VM. So how exactly are you supposed to run arbitrary code from within JavaScript without first finding a bug in the JavaScript sandbox/implementation itself?

I don't get it.
>>
>>53377344
is x entirely controlled by the attacker, or is it only just a string?

if entirely controlled:
var x = {
toString: function () {
//arbitrary code
}
}
CryptoAPI.sha1.hash(x)
>>
>>53380598
Or do you mean I should just be able to run arbitrary JavaScript code?
>>
>>53380598
Yeah, I'm sure they just mean some XSS to run arbitrary JS
>>
>>53377344
Am I stupid or where are a2b, b2a and _round defined?
>>
>>53380613
Wow it works
Do you mind explaining why that works, where's the vulnerability that lets you do that?
>>
>>53380653
I don't even write JS and I get why this works - what the fuck is wrong with you?
>>
>>53380653
>Do you mind explaining why that works
Because adding an object to a string compiles to (x.toString() + string). But isn't that cheating?

I would assume ‘x’ has to be an arbitrary string

Also, do we have to assume a fully spec-conformant JavaScript interpreter with no bugs?
>>
>>53380704
>But isn't that cheating?
Yeah, that's why I said
>is x entirely controlled by the attacker, or is it only just a string?
Because I'm basically cheating unless I can trick whatever takes input to take an object
>>
>>53380704
Well supposedly you can get it to work with x as a string, but I dunno how you'd do that

It does feel like cheating a little bit
>>
>>53377344
If x is a string with no modifications to its functions or prototype and we assume
encoding.b2a
encoding.a2b
CryptoAPI.sha1._round
String.prototype.length
are all secure, then there are no vulnerabilities (no function calls, evals, new Functions, or es6 getters/setters)

You might be able to trick the sha1 to return a bad hash, but you can't run arbitrary code
>>
>>53380934
You're allowed to make changes to its prototype
>>
>>53380974
Then I can already run arbitrary code in the same space as the CryptoAPI.
>>
>>53377344
If I run this function for any input it returns undefined. Is this code broken?
>>
>>53381696
No, you just have to load the right libraries. But it shouldn't matter for exploitation purposes anyway
>>
>>53381039
Sure, but I don't think that's the point, you're just trying to fuck around with JS enough so that you load your own code through that script's function